Businesses are flocking to software-as-a-service applications as a means to improve the efficiency of their operations and the productivity of their employees, but weak control of access to cloud apps is putting the data of many organizations at risk.
According to a study released Tuesday by DoControl, the average 1,000-person company using SaaS apps is exposing its data to between 1,000 and 15,000 external collaborators.
Between 200 and 3,000 companies also have access to a company’s data, it added, while 20 percent of a typical business’s SaaS files are shared internally with anyone who can click a link.
The report cautioned that the risk posed by unmanageable SaaS data access is no isolated or trivial problem.
Forty-three percent of data breaches analyzed in 2020 were attributable to web application vulnerabilities, the report noted. While it may come as a surprise that nearly half of all data breaches can be traced back to SaaS applications, given the growing reliance on those programs by businesses, it makes sense that this is such a huge area of threat.
“On average, a 1,000-person company stores between 500,000 to 10,000,000 assets in SaaS applications,” said Adam Gavish, co-founder and CEO of the New York city-based DoControl, which provides data access monitoring, orchestration, and remediation for SaaS applications.
“Therefore, companies enabling public sharing may unwittingly allow up to 200,000 of these assets to be shared publicly,” he told TechNewsWorld.
The problem is likely to get worse. Gartner predicts that the use of SaaS services will continue to grow, with revenues jumping more than 30 percent from US$110.5 billion in 2020 to $143.7 billion in 2022.
Accelerated by Covid
That growth was given a boost by the worldwide pandemic.
“SaaS solutions have really proven their value since the start of the pandemic,” said Jake Kouns, CEO and CISO of Risk Based Security, a provider of vulnerability intelligence, breach data and risk ratings in Richmond, Va.
“SaaS offerings are easy to set up and usually don’t require IT resources to provision,” he told TechNewsWorld.
“This means that the business can identify problems and procure solutions on their own, in their own time frame,” he said.
“Furthermore,” he continued, “with the shift to remote working, the ability to access a SaaS solution from anywhere with an internet connection is extremely valuable.”
Covid-19 certainly had a big impact on the adoption of cloud services, maintained John Morgan, CEO of Confluera, a cyberthreat tracking platform maker in Palo Alto, Calif.
“While many organizations had already planned such adoption, the timetable was greatly accelerated due to Covid-19 and the need to be able to work remotely,” he told TechNewsWorld.
“The rush to adoption has also created security coverage gaps which are resulting in data exposures and breaches,” he said.
Software Visibility Gap
Liz Herbert, a vice president and principal analyst at Forrester Research, explained that as SaaS took hold in the early 2000s, many individuals and line-of-business executives pursued free and small-scale SaaS offerings that were easy to purchase under the radar because they felt the offerings better met their needs and gave them more speed and agility, compared to corporate-sanctioned options.
“In many cases, they achieved strong business results — at least in the beginning,” she told TechNewsWorld.
“Today, SaaS sprawl has grown to be a significant problem — and in most cases, no one really knows just how big,” she said.
Any assets that are unmanaged pose a risk, added Mark Guntrip, senior director of cybersecurity strategy at Menlo Security, a cloud security provider in Mountain View, Calif.
“As you look at the rise in adoption of SaaS applications, including personal use applications, individuals and even departments can easily introduce a new application without the involvement of IT,” he told TechNewsWorld.
“This can create a visibility gap for security which can impact an organization,” he said.
By design, the cloud obfuscates the inner workings of the applications and the data stored in it, Morgan added.
“While this can offer simplicity to some organizations, the obfuscation can also blur insight into potential threats and attacks,” he said.
“Modern threats leverage this characteristic to hide under the radar to navigate through the organization networks to identify target data,” he added.
Data Everywhere Problem
With the cloud and SaaS platforms of today, the corporate network is no longer the only way to access data, explained Brendan O’Connor, CEO and co-founder ofAppOmni, a cloud security posture management provider in San Francisco.
Data is now frequently accessed through third-party apps, IoT devices in the home, and portals created for external users like customers, partners, contractors, and MSPs, he continued.
“Often, access through these channels completely bypasses the corporate network, instead relying on OAuth tokens or other types of verification,” he told TechNewsWorld.
“While companies are eager to use these access points to increase the functionality of their cloud and SaaS systems,” he said, “they often neglect to secure and monitor them in the same way they’re secured on their corporate network, leading to major access vulnerabilities that may be completely unknown to the company.”
Unmanaged SaaS usage means that sensitive corporate data may proliferate to locations that were never intended to house that type of data, added Sounil Yu, CISO of JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions.
“SaaS applications often integrate with other SaaS applications,” he told TechNewsWorld. “If those integrations are also not managed, then organizations risk granting overly permissive and continuous access to their corporate data through multiple SaaS channels.”
What To Do
Organizations are making an effort to reduce the risk posed to their data by SaaS apps without stifling speed, creativity, and business success, Herbert noted.
“The solution is not simple but generally a combination of education, governance, and pre-vetting apps,” she said.
“Some organizations have tried penalties and punishment, but that has had mixed success versus education and smarter sourcing strategies,” she added.
O’Connor maintained that a new approach is needed in order to keep up with quickly changing cloud and SaaS environments.
“Security and IT teams can no longer rely exclusively on in-house expertise and expect to keep up,” he asserted.
“Since the complexity of cloud and SaaS environments — and the associated security configurations — will only continue to increase, companies will need to use automated tools to ensure that their security settings match their business intent and to continuously monitor security controls to prevent configuration drift,” he said.
“This is simply no longer a task that teams will be able to keep up with using only manual processes,” he added.